I'm in the process of writing a webapp in C++ using FastCGI with lighttpd. The reason I'm doing this the painful way is because the end product will go on an embedded device. Originally, I didn't know about FCGI modes; I thought everything was basically a responder. Then I learned about authorizers, and I've been trying to enable support for it.
Lighttpd seems to have no trouble putting an authorizer in front of static content, but when I try to protect another FCGI script it gives me 403 forbidden.
I've done a lot of research, and come to some conclusions:
For the record, I'm using lighttpd 1.4.28 (x86 and ARM) and custom authentication (password hashed on client with SHA-512), because (1) TLS is impossible/unnecessary for this application, (2) basic HTTP authentication is not good enough, (3) digest authentication is broken in lighttpd, and (4) this isn't really intended to be a secure system anyway.
Here's the relevant part of my lighttpd.conf file:
fastcgi.server = (
    # Responder: handles requests whose path ends in "main.fcgi".
    "main.fcgi" =>
        (( "mode" => "responder",
           "bin-path" => "/var/fcgi/main.fcgi",
           "socket" => "/tmp/fcgi.sock",
           "check-local" => "disable",
           "max-procs" => 1
        )),
    # Authorizer: runs in front of every path under "/", including main.fcgi.
    # A 200 from auth.fcgi lets the request continue; anything else yields 403.
    "/" =>
        (( "mode" => "authorizer",
           "bin-path" => "/var/fcgi/auth.fcgi",
           # Each spawned backend needs its own socket; the original used
           # /tmp/fcgi.sock for both, so lighttpd would find the responder's
           # socket already in use and never spawn the authorizer.
           "socket" => "/tmp/auth.sock",
           "check-local" => "disable",
           "max-procs" => 1,
           "docroot" => "/var/fcgi"
        ))
)
To wrap it up, can anyone give me guidance on using an FCGI authorizer to control access to other FCGI scripts(/binaries), instead of just static files, on lighttpd? It would also be nice to get variable-passing working. Thanks for reading this far!
Update: lighttpd fixed this in lighttpd 1.4.42, released back in 2016.
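As an added example (not code from the original post), here is the decision logic of an authorizer like the auth.fcgi above, written in C++ without libfcgi so it can be run and tested stand-alone. Per the FastCGI specification (section 6.3), an authorizer grants access by returning a 200 response, and any header of the form `Variable-NAME: value` in that response is passed to the subsequent responder as environment variable `NAME`; any other status denies. The cookie names `user` and `auth`, the credential store and its digests are constructed placeholders, and whether a given lighttpd version forwards the `Variable-*` headers to the responder is assumed, not verified here. In the real binary the `Env` map would be filled from `FCGX_GetParam` after `FCGX_Accept_r` (or `getenv` after `FCGI_Accept` with fcgi_stdio.h). Because the client-side SHA-512 digest is a replayable bearer credential under this scheme, it is compared in constant time.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

typedef std::map<std::string, std::string> Env;

// Constructed credential store: user -> expected client-side SHA-512 hex digest.
// The digests are placeholders, not real SHA-512 output.
static const Env& credential_store() {
    static Env store;
    if (store.empty()) {
        store["alice"] = std::string(128, 'a');
        store["bob"]   = std::string(128, 'b');
    }
    return store;
}

// Constant-time comparison so a timing side channel cannot reveal how many
// leading characters of the submitted digest were correct.
bool ct_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Parse "k=v; k2=v2" (the HTTP_COOKIE value) into a map.
Env parse_cookies(const std::string& header) {
    Env out;
    std::size_t pos = 0;
    while (pos < header.size()) {
        std::size_t end = header.find(';', pos);
        if (end == std::string::npos) end = header.size();
        std::string item = header.substr(pos, end - pos);
        std::size_t s = item.find_first_not_of(' ');
        if (s != std::string::npos) {
            item = item.substr(s);
            std::size_t eq = item.find('=');
            if (eq != std::string::npos)
                out[item.substr(0, eq)] = item.substr(eq + 1);
        }
        pos = end + 1;
    }
    return out;
}

// Returns the user name when the cookie carries a valid (user, auth) pair,
// or "" when it does not.
std::string authorized_user(const Env& env) {
    Env::const_iterator c = env.find("HTTP_COOKIE");
    if (c == env.end()) return "";
    Env cookies = parse_cookies(c->second);
    Env::const_iterator u = cookies.find("user"), a = cookies.find("auth");
    if (u == cookies.end() || a == cookies.end()) return "";
    const Env& store = credential_store();
    Env::const_iterator expected = store.find(u->second);
    if (expected == store.end()) return "";
    return ct_equal(expected->second, a->second) ? u->second : "";
}

// Build the authorizer response. 200 allows the request and the
// Variable-REMOTE_USER header becomes REMOTE_USER in the responder's
// environment (FastCGI spec 6.3); anything else denies.
std::string authorizer_response(const Env& env) {
    Env::const_iterator role = env.find("FCGI_ROLE");
    if (role == env.end() || role->second != "AUTHORIZER")
        return "Status: 500 Internal Server Error\r\n\r\n";
    std::string user = authorized_user(env);
    if (user.empty())
        return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\r\n";
    return "Status: 200 OK\r\nVariable-REMOTE_USER: " + user + "\r\n\r\n";
}

// Helper that builds a request environment the way the web server would.
Env make_env(const std::string& role, const std::string& cookie) {
    Env env;
    env["FCGI_ROLE"] = role;
    env["HTTP_COOKIE"] = cookie;
    return env;
}

int main() {
    // Constructed request: valid credentials for "alice".
    Env env = make_env("AUTHORIZER", "user=alice; auth=" + std::string(128, 'a'));
    std::cout << authorizer_response(env);
    return 0;
}
```

The responder (main.fcgi) would then read `REMOTE_USER` from its own FastCGI parameters rather than re-checking the cookie, which is the variable-passing the question asks about; if the server does not forward `Variable-*` headers, the responder sees no `REMOTE_USER` at all and must fail closed.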